diff --git a/kerberos/manifests/init.pp b/kerberos/manifests/init.pp
index 30a10c1..ec1860b 100644
--- a/kerberos/manifests/init.pp
+++ b/kerberos/manifests/init.pp
@@ -20,7 +20,7 @@ class kerberos::client {
 case $operatingsystem {
 centos,fedora: {
- package { ["krb5-workstation", "pam_krb5"]:
+ package { "krb5-workstation":
 ensure => installed,
 }
 }
@@ -44,6 +44,47 @@ class kerberos::client {
 }
+# Configure kerberos authentication
+#
+# === Global variables
+#
+# $kerberos_realm:
+# Kerberos realm name.
+#
+# $kerberos_kdc:
+# Array containing list of Kerberos KDC servers.
+#
+# $kerberos_kadmin:
+# Kerberos admin server address. Defaults to first KDC server.
+#
+# $kerberos_kpasswd:
+# Kerberos password change server address. Defaults to first
+# KDC server.
+#
+class kerberos::auth {
+
+ include kerberos::client
+ $kdclist = inline_template('<%= kerberos_kdc.join(" ") -%>')
+
+ case $operatingsystem {
+ "centos": {
+ package { "pam_krb5":
+ ensure => installed,
+ }
+ exec { "authconfig --enablekrb5 --krb5kdc='${kdclist}' --krb5realm='${kerberos_realm}' --krb5adminserver='${kerberos_kadmin}' --update":
+ path => "/bin:/usr/bin:/sbin:/usr/sbin",
+ unless => "egrep '^USEKERBEROS=yes\$' /etc/sysconfig/authconfig",
+ before => Class["kerberos::client"],
+ require => Package["pam_krb5"],
+ }
+ }
+ default: {
+ fail("kerberos::auth not supported on ${operatingsystem}")
+ }
+ }
+}
+
+
 class kerberos::server inherits kerberos::client {
 package { "heimdal-server":
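Review bot: Fedora is left without a managed `pam_krb5` after this change: the package is dropped from the `centos,fedora` branch here, while the `kerberos::auth` class added in the next hunk matches only `"centos"` and calls `fail()` for every other operating system. If Fedora is meant to keep PAM Kerberos login, the case label in `kerberos::auth` should read `centos,fedora: {` (assuming authconfig behaves the same there); otherwise the commit message should say that Fedora support is dropped on purpose. The body of `kerberos::client` starts and ends outside this hunk.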
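Review bot: The `exec` title in `kerberos::auth` splices `${kdclist}`, `${kerberos_realm}` and `${kerberos_kadmin}` into a command line that the agent runs (normally as root) without checking them, so a value containing a single quote or other shell metacharacters can change the arguments or the command that is executed. Reject anything that is not a plain host or realm name before the `exec`, for example `if $kerberos_realm !~ /\A[A-Za-z0-9.-]+\z/ { fail("invalid kerberos_realm") }`, with the same check for `$kerberos_kadmin` and for `$kdclist` (allowing the separating space). The header comment also promises that `$kerberos_kadmin` defaults to the first KDC and documents `$kerberos_kpasswd`, but the class neither sets that default nor uses `$kerberos_kpasswd`, so an unset admin server reaches authconfig as `--krb5adminserver=''`. Because `unless` only greps for `USEKERBEROS=yes`, a later change to the realm or KDC list is never applied; either say so in a comment or make the guard compare the configured values.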